Changing Permissions for an Application

The default policy for each domain limits the permissions of
Java EE deployed applications to the minimal set of permissions required
for these applications to operate correctly. Do not add extra permissions
to the default set (the grant block with no codebase, which applies
to all code). Instead, add a new grant block with a codebase specific
to the applications requiring the extra permissions, and add only
the minimum necessary permissions in that block.

If you develop multiple applications that require more than
this default set of permissions, you can add the custom permissions
that your applications need. The com.sun.aas.instanceRoot variable
refers to the domain-dir. For example:

An alternative way to add permissions to a specific application
or module is to edit the granted.policy file for
that application or module. The granted.policy file
is located in the domain-dir/generated/policy/app-or-module-name directory. In this case, you add
permissions to the default grant block. Do not delete permissions
from this file.

When the application server policy subsystem determines that
a permission should not be granted, it logs a server.policy message
specifying the permission that was not granted and the protection
domains, with their code source and principals, that failed the
protection check. For example, here is the first part of a typical
message:

Do not add java.security.AllPermission to
the server.policy file for application code. Doing
so completely defeats the purpose of the security manager, yet you
still get the performance overhead associated with it.

As noted in the Java EE specification, an application should
provide documentation of the additional permissions it needs. If an
application requires extra permissions but does not document the set
it needs, contact the application author for details.

As a last resort, you can iteratively determine the permission
set an application needs by observing AccessControlException occurrences
in the server log.
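
The iterative approach above can be partly automated. The following script is an added example, not code from the application server or its documentation: it collects the distinct "access denied" entries from server log lines and drafts a codebase-specific grant block for review. The function names, the sample log lines and the PATH-TO-APP codebase placeholder are assumptions made for illustration.

```python
import re

# Handles the unquoted message style, (java.io.FilePermission /tmp/x read),
# and the quoted style of Java 7 and later, ("java.io.FilePermission" "/tmp/x" "read").
DENIED = re.compile(r'AccessControlException: access denied \((.*)\)')

def parse_denial(line):
    """Return (permission class, target, actions), or None for other lines."""
    m = DENIED.search(line)
    if not m:
        return None
    body = m.group(1)
    parts = re.findall(r'"([^"]*)"', body) or body.split()
    if not parts:
        return None
    if len(parts) == 1:
        return (parts[0], None, None)
    if len(parts) == 2:
        return (parts[0], parts[1], None)
    # Unquoted targets containing spaces are ambiguous; the last token is taken as actions.
    return (parts[0], " ".join(parts[1:-1]), parts[-1])

def quote(value):
    # Policy files treat backslash as an escape character, so double it.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def candidate_grant(log_lines, codebase):
    """Build a codebase-specific grant block (list of lines) for human review."""
    seen, body = set(), []
    for line in log_lines:
        denial = parse_denial(line)
        if denial is None or denial in seen:
            continue
        seen.add(denial)
        cls, target, actions = denial
        if cls == "java.security.AllPermission":
            body.append("    // AllPermission was denied; never grant it to application code")
            continue
        fields = ", ".join(quote(v) for v in (target, actions) if v is not None)
        body.append("    permission %s%s;" % (cls, " " + fields if fields else ""))
    return ['grant codeBase "%s" {' % codebase] + body + ["};"]

# Constructed sample lines, not taken from a real server log.
SAMPLE_LOG = [
    'java.security.AccessControlException: access denied ("java.io.FilePermission" "/var/data/report.csv" "read")',
    'java.security.AccessControlException: access denied (java.net.SocketPermission db.example.test:5432 connect,resolve)',
    'java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "createClassLoader")',
    'java.security.AccessControlException: access denied ("java.io.FilePermission" "/var/data/report.csv" "read")',
]
# Placeholder codebase: replace PATH-TO-APP with the application's real location.
CODEBASE = "file:${com.sun.aas.instanceRoot}/PATH-TO-APP/-"

if __name__ == "__main__":
    print("\n".join(candidate_grant(SAMPLE_LOG, CODEBASE)))
```

Treat the output as a draft: check each proposed permission against what the application legitimately needs, and narrow targets where possible, before adding the block to server.policy.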

If this is not sufficient, you can add
the -Djava.security.debug=failure JVM option to
the domain. Use the following asadmin create-jvm-options command,
then restart the server: